
HIPAA Compliance Program

Overview of HIPAA

What is HIPAA?

It is a federal law titled the Health Insurance Portability and Accountability Act (HIPAA).

Which federal agency oversees HIPAA compliance?

The Department of Health and Human Services (HHS), Office of Civil Rights (OCR).

Why was HIPAA established?

  • To protect employees’ insurance when they have lost or changed jobs.
  • To protect the privacy and security of patients’ health information.
  • To adopt national standards for electronic health care transactions.
  • To improve the efficiency and effectiveness of the health care system.

What do the HIPAA regulations do for health care?

  • Protects patients’ rights regarding their health information, including the right to review it and make decisions about how it is used and disclosed.
  • Provides for appropriate use and disclosure of patients’ health information.
  • Requires health care providers to implement safeguards to ensure privacy of patients’ health information.

On what exactly do the privacy regulations focus?

  • Individually identifiable information, which means it identifies the patient or could be used to identify the patient.
  • Paper or electronic patient medical or health records.
  • Patient information exchanged verbally.
  • Information relating to the past, present, or future physical or mental condition of an individual.
  • Research data that identifies individual patients.

Patient Rights Under HIPAA

UT Health San Antonio is committed to protecting and safeguarding the confidential and sensitive information entrusted to us through various means. The UT Health San Antonio Institutional Compliance and Privacy Office (ICPO) ensures that UT Health San Antonio complies with the privacy laws, rules, and policies. We strive to create a culture of privacy awareness and for the highest level of commitment to protecting personally identifiable information.

The ICPO handles issues related to privacy practices, policies, concerns, and complaints. We also act as a resource for patients, staff, and students. The privacy laws provide for certain privacy rights. Read more about Patient Rights under HIPAA.

Forms of Interest

Patient Privacy Policies & Procedures

The Institutional Handbook of Operating Policies (IHOP), Chapter 11 – Patient Privacy Policies, provides general oversight and governs the uses and disclosures of protected health information (PHI), patient rights regarding the privacy of PHI, and the requirement that all employees, students, and non-employees of the Health Science Center complete mandatory training in patient privacy regulations and policies.

Business Associates

Purpose of Business Associate Agreements

Any person or company that is a Business Associate is required to sign a contract with special language mandated by the privacy rules. Business Associate Agreements (BAA) assist UT Health San Antonio in protecting our patients’ health information when it is released to someone outside our organization.

Definitions:

  • Business Associate: A Business Associate is a person or entity to which UT Health San Antonio discloses protected health information so that the person/entity can carry out, assist with the performance of, or perform a function or activity for UT Health San Antonio.
  • Protected Health Information (PHI): A patient’s or participant’s (in the case of research) health information that identifies the person or can be used to identify the person.

Business Associate Test:

  • Is UT Health San Antonio disclosing PHI?
  • Does the recipient of the PHI provide a service to, for, or on behalf of UT Health San Antonio?

If the answer to both of the above questions is “yes”, you may have a relationship that requires a business associate agreement.

Not Business Associates

  • UT Health San Antonio Workforce: Employees, faculty, residents, students
  • Health care workers providing treatment
  • Providers with staff privileges at the institution
  • Labs
  • Individuals or companies with very limited and incidental exposure to health information, such as telephone company, electrician, etc.
  • Companies that act as a conduit for PHI, such as the postal service, UPS, private couriers, etc.

Potential Business Associates

  • Lawyers
  • External auditors or accountants
  • Professional translator services
  • Answering services
  • Consultants hired to conduct audits, perform coding reviews, etc.
  • Accreditation agencies
  • Shredding and/or documentation storage companies
  • Data processing firms or software companies that may be exposed to or use PHI
  • Medical transcription services, even if you contract with an individual rather than a company
  • Medical equipment service companies handling equipment that holds PHI
  • E-prescribing gateways
  • Health information organizations

Process for Completing a Business Associate Agreement (BAA)

Department Responsibilities

  • Determine when services, functions, or activities are being provided by a vendor, person, or company and patient health information is being shared in the provision of those services
  • Ensure BAA is in place prior to services being provided
  • Prepare a description of the “purposes for the sharing of PHI” to be included in the BAA
  • Contact the Purchasing Department at buscontracts@uthscsa.edu or (210) 562-6203 for assistance in completing the BAA

Purchasing Department (Manager for Contract Administration) Responsibilities

  • Complete the BAA for signature
  • Assess need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
  • Ensure BAA is signed by the vendor and the appropriate institutional signatory authority
  • Maintain the original signed BAA

Process for Termination or Non-Renewal of a Contract with a Business Associate

When the institutional data is stored/maintained by the business associate, the following steps will be required:

  • The department will notify the Purchasing Department, Manager for Contract Administration, to assess the contract and BAA terms
  • The Purchasing Department, Manager for Contract Administration, will assess the need for review by the Legal Office and/or the Institutional Compliance & Privacy Office
  • The department will ensure the return or destruction of the data, providing confirmation to the Purchasing Department, Manager for Contract Administration
  • The Purchasing Department, Manager for Contract Administration, will maintain that confirmation with the BAA. If it is not feasible to return or destroy the data, the BAA will continue to extend its protections to limit further use or disclosure by the business associate

Select HIPAA Links

  • Office of Civil Rights (OCR)
  • Center for Medicare and Medicaid Services (CMS)
  • American Dental Association
  • American Health Information Mgmt. Assoc. (Search “HIPAA”)
  • American Hospital Association
  • HIPAA Summit
  • Texas Health Information Management Association
  • WEDI-Strategic National Implementation Process (SNIP)

Contacts & Resources

Any questions or concerns related to privacy matters should be directed to the Privacy Team in the Institutional Compliance & Privacy Office at compliance@uthscsa.edu or (210) 567-2014, or by calling the Compliance Hotline at (877) 507-7317.

You can also contact a member of the Privacy Team directly:

  • Angelife Pardo, MSIT, CHPC, CISSP, CRISC, PMP
    Director, Privacy Program
    pardoa@uthscsa.edu
  • Mark S. Curnow, MS, CHC, CHPS
    Compliance Analyst, Senior
    curnowm@uthscsa.edu
  • Bianca De La Fuente, BSBM, CHPC
    Privacy Analyst
    delafuenteb@uthscsa.edu
  • Caleb Barrera, CHTS
    Privacy Analyst
    barrerac5@uthscsa.edu